ISE 2.0 Wireless Guest Setup Guide Secure Access How -To Guides Series Author: Jason Kunst Date: March 2016 SECURE ACCESS HOW-TO GUIDES Table of Contents About This Guide...................................................................................................................................................... 4 How Do I Get Support? ...................................................................................................................... 4 Using This Guide.................................................................................................................................. 4 Requirements ........................................................................................................................................ 7 Guest Access ............................................................................................................................................................. 8 Guest Access with Hotspot Guest Portals ................................................................................... 8 Guest Access with Credentialed Guest Portals .......................................................................... 8 Download Cisco ISE Software ............................................................................................................................ 9 Planning...................................................................................................................................................................... 11 Pre-setup Checklist ........................................................................................................................... 11 Installation and Setup of Cisco ISE on a VMware Server...................................................................... 13 Deploy ISE OVA as a Virtual Machine ........................................................................................ 14 Run ISE Setup .................................................................................................................................... 14 Install the ISE Patch .......................................................................................................................... 15 Configure WLC Basics ......................................................................................................................................... 16 Connect to WLC ................................................................................................................................. 17 Set Up Your Controller ............................................................................................................... 17 Create Your Wireless Networks .............................................................................................. 19 Connect WLC to Your Network ............................................................................................... 20 Assisted WLC & ISE Configuration with Setup Wizard.......................................................................... 22 Configuring the WLC for ISE Web Authentication ................................................................................... 33 Captive Portal Bypass Configuration ........................................................................................... 34 Configure the RADIUS Authentication Server on WLC ......................................................... 34 Configure the RADIUS Accounting Server on WLC................................................................ 35 Change WLAN Configuration to use ISE Web Authentication............................................. 36 Configure ACLs for Guest Redirection and Permit Access .................................................. 40 Configure an ACL to Redirect Guest Devices to ISE Guest Portal .............................. 40 Configure an ACL to Permit Guest Access to the Internet After Authenticated ....... 41 Configure ISE for Guest Access ...................................................................................................................... 42 Configure the Wireless Controller (WLC) as a Network Access Device (NAD) ............. 43 Authentication Policy Setup ............................................................................................................ 44 Cisco Systems © 2016 Page 2 SECURE ACCESS HOW-TO GUIDES Create an Authorization Profile to Redirect Guest Endpoints to ISE ................................. 44 Create an Authorization Profile to Permit Access .................................................................... 45 Create Authorization Policies for Guest Access ....................................................................... 46 Configure Minimum Settings for Self-Registration and Sponsored Guest Flows ...................... 50 Configure Guest Locations and Time Zones ............................................................................. 50 Configure the Portal to Use the Location (Self-Registration) ............................................... 51 Configure Required Settings for Sponsored Guest Flow ..................................................................... 52 Working with Sponsor Accounts.................................................................................................... 52 Using Sponsor Accounts from Active Directory ........................................................................ 52 Set up the Active Directory Sponsor Group in All_Accounts ................................................ 55 Configure Locations for Your Sponsor Group ........................................................................... 55 Setup ISE Sponsor Portal FQDN Based Access ..................................................................... 56 Configure Basic Portal Customization (Optional) .................................................................................... 58 Setting up a Well-known Certificate (Optional) ......................................................................................... 61 Create a Certificate Signing Request and Submit the CSR to a Certificate Authority .. 61 Import Certificates to the Trusted Certificate Store ................................................................. 63 Bind the CA-Signed Certificate to the Signing Request ......................................................... 64 Setting Changes for Admin & Guest Accounts (Optional) ................................................................... 66 Get Acquainted with the Administrator Password Policy ....................................................... 66 Change Guest Account Requirements........................................................................................ 66 What’s Next ............................................................................................................................................................... 68 Appendix A – Wireless Configuration ........................................................................................................... 69 Appendix B – Switch Configuration ............................................................................................................... 72 Cisco Systems © 2016 Page 3 SECURE ACCESS HOW-TO GUIDES About This Guide This guide describes the express process for configuring Cisco Identity Services Engine (ISE) with a Cisco Wireless Controller to provide Guest Access. Using the steps in this guide, you can set up guest access for your users in approximately two hours. Some aspects of this guide can be used for a WLC or ISE that has already been set up. This guide’s flow requires you to have a physical controller that has been reset (no config) and ISE web UI available so that we may step you through basic setup in the correct order. This guide is most helpful for those that have bought ISE Express (an inexpensive license for WLC/ISE), but maybe used by anyone that wants to configure the ISE and WLC from a clean install. This guide is for ISE 2.0. There are two types of portals supported by this guide: • • Guest Access with Hotspot Guest Portals Guest Access with Credentialed Guest Portals How Do I Get Support? For general support ISE Guest and wireless, please contact your local Cisco partner, account team, ISE Support community or the Cisco TAC. For questions around the licensing bundle known as ISE Express or specific issues with the ISE Wireless Guest Setup Guide or Wizard please email ise-express@cisco.com Using This Guide This guide has two parts that describe the activity required to install and configure Wireless Guest access using ISE and a Cisco Wireless Controller (WLC). Cisco Systems © 2016 Page 4 SECURE ACCESS HOW-TO GUIDES • Part 1 - Installing and configuring the Cisco Wireless Controller (WLC) and Identity Services Engine (ISE) Part 1 covers the installation, pre-setup, and configuration activities to get the WLC and ISE to a base starting point to work with the steps in Part 2. Part 1 – Installing and Configuring Cisco Identity Services Engine (ISE) and Wireless Controller (WLC) Install Cisco Identity Services Engine on VMWare Configure WLC Basics Deploy ISE OVA Setup Your Controller Run ISE Setup Create Your Wireless Network Install ISE Patch Connect WLC to Your Network Figure 1 Part 1 Flow - Installing and Configuring ISE and WLC Cisco Systems © 2016 Page 5 SECURE ACCESS HOW-TO GUIDES • Part 2 - Configuring the WLC and ISE for Guest Access - Part 2 covers the additional configuration steps for Cisco Wireless Guest Access with ISE. Part 2 – Configuring WLC and ISE for Guest Services Configure WLC for ISE Web Authentication Assisted WLC/ISE Configuration with ISE Express Wizard (Optional) Configure ISE for Guest Services Configure Minimum Settings for Self-Registration (Optional) Configure Required Settings for Sponsored Guest Flows (Optional) Configure Basic Portal Customization (Optional) Set Up a Well-known Certificate (Optional) Set Changes for Admin and Guest Accounts (Optional) What’s Next Cisco Systems © 2016 Page 6 SECURE ACCESS HOW-TO GUIDES Figure 2 Part 2 Flow - Configuring WLC and ISE for Guest Services Requirements • • • • Supported Virtual Environments o VMware version 8 (default) for ESX (i) 5.x o VMware version 11 (default) for ESX (i) 6.x o KVM on RHEL 7.0 (supported but not covered in this guide) Virtual machine running as a SNS-3415 appliance – see Table 2 of VMware Appliance Specifications Cisco Identity Services Engine Release 2.0 with latest patch Physical Cisco Wireless controller (WLC) running 8.0.121.0. For latest info reference the ISE compatibility chart. o • We recommend, if you’re not already running this code to upgrade after you complete the setup of the solution. For Sponsor Groups from Microsoft Active Directory, verify Supported External Identity Sources section of the ISE Network Component Compatibility Guide. Note: This guide is for a new Wireless Controller installation only. If this not a new installation, then perform a factory reset of the controller. Refer to the controller documentation for steps to reset the controller. If you still want to use the guide, then you can use it as a reference for configuration of the needed WLAN and ACL configurations. Cisco Systems © 2016 Page 7 SECURE ACCESS HOW-TO GUIDES Guest Access When people outside your company attempt to use your company’s network to access the Internet or resources and services on your network, you can provide them network access using Guest Access portals. Guests typically represent authorized visitors, contractors, customers, or other temporary users who require access to your network. There are two types of Guest Access portals supported by this guide: • • Guest Access with Hotspot Guest Portals Guest Access with Credentialed Guest Portals Guest Access with Hotspot Guest Portals The Guest Access with Hotspot Guest portal provides network access without requiring guests to establish usernames and passwords to connect. This type of Guest Access eliminates the overhead required to manage each individual guest account. When the guest connects to the network, they are redirected to the ISE Hotspot Guest portal where they must accept an Acceptable Use Policy (AUP) to gain access to the network and eventually the Internet. Guest Access with Credentialed Guest Portals The Credentialed Guest portal requires guests to have a username and password to gain access. Using a self-registration portal, the guest can create their own account to use to login to the Guest Portal. The self-registration portal can also be used along with credentials created by a Sponsor. A Sponsor can be an employee or lobby ambassador, for example. When the guest connects to the network, they are redirected to a portal that allows them to login with credentials created through self-registration or provided by a sponsor. After guests log in, they can be required to accept an Acceptable Use Policy (AUP) to gain access to the network. You can also set up access using a Sponsored Guest Portal, which requires users to have credentials created by a Sponsor. For more information about guest portals and features, refer to Cisco Guest Access. Cisco Systems © 2016 Page 8 SECURE ACCESS HOW-TO GUIDES Download Cisco ISE Software Download the latest Cisco ISE software and ISE patches using the ISE software download link. Software Download Click Cisco ISE Download Software to access the Cisco ISE software download page where you can download the following files: • ISE VM OVA File of ISE 2.0: Virtual SNS-3415 • ISE 2.0 latest patch – for more info on this release, please reference the release notes • ISE-2.0.0.306-virtual-SNS3415.ova Example: ise-patchbundle-2.0.0.306-Patch2-164765.SPA.x86_64.tar.gz ISE 2.0 Wireless Guest Setup Wizard (Recommended for automated configuration of WLC & ISE) o Supported on: Apple MAC OSX 10.9 and higher Microsoft Windows 7 and higher Note: When downloading the ISE Patch (tar.gz), some web browsers, such as OSX Safari, do not maintain the archive structure. You must maintain the archive structure when installing a patch, so we recommend using the Firefox or Google Chrome browsers. You can view a video about downloading Cisco ISE software by clicking the link below: • Introduction to ISE and how to download Cisco ISE software Cisco Systems © 2016 Page 9 SECURE ACCESS HOW-TO GUIDES Cisco Systems © 2016 Page 10 SECURE ACCESS HOW-TO GUIDES Planning Before you start installing and configuring ISE and the WLC, we recommend that you spend some time collecting information that you use during installation and configuration. We created a checklist you can use to help organize and record server information. Refer to this checklist as needed during the installation and configuration processes. Note: Before installing ISE, and while you are recording the Pre-setup Checklist information, make sure you have access to the following services. If these services are not available, the installation process may fail. • DNS (Internal Server ) • NTP and default gateway Verify the time is correct on your ESX and NTP hosts. Host times must to be synchronized for services and certificates to work correctly. Pre-setup Checklist Table 1 Pre-Setup Checklist No. Services Description Record info here 1 WLC System Name • Name of the controller system WLC System Name: _________________________ • Configured on WLC • Example: WLC 2 Wireless Controller IP, Subnet Mask and Gateway • Network information for the WLC • Configured on WLC & ISE Wireless Controller IP: _____________________ Subnet Mask: __________________________________ Gateway: _______________________________ 3 DHCP Server IP • DHCP Server in the network DHCP Server IP: _________________________ • Configured on WLC 4 Guest SSID • The network name your guests will access Guest SSID: ____________________________ • Configured on WLC • Example: yourcompany-guest 5 Guest VLAN (optional) If you are using the same network for guests as management network then this is not needed Cisco Systems © 2016 • The VLAN used for Guests Guest VLAN: ____________________________ • Configured on WLC • Example: 50 Page 11 SECURE ACCESS HOW-TO GUIDES 6 Guest Network IP Address, Subnet Mask, and Gateway • Controller needs an IP address on your Guest Network to talk to your guests • Configured on WLC Guest Network IP: _____________________ Subnet Mask: __________________________________ Gateway: _______________________________ 7 DNS Server IP • DNS Server in the network DNS Server IP: __________________________ • Configured on ISE 8 NTP Server IP • NTP Server in the network NTP Server IP: __________________________ • Configured on ISE 9 ISE IP, Subnet Mask and Gateway • Network Information for ISE • Configured on WLC & ISE ISE IP: ______________________ Subnet Mask: _________________________ Gateway: __________________ 10 11 ISE Hostname & Domain Management Network VLAN • Name and domain of your ISE Server ISE Hostname: __________________________ • Configured on ISE • Needs to be in DNS otherwise this solution won’t work ISE Domain: ____________________________ • The network that ISE & WLC will connect to on ESX (i) host • Configured on WLC & ESX(i) host Mgmt. Network VLAN: __________________ • Example: 100 12 Shared Secret Cisco Systems © 2016 • This is a password that will be shared between ISE and WLC for communications to secure the RADIUS channel. • Configured on WLC & ISE Shared Secret: ____________________________ Page 12 SECURE ACCESS HOW-TO GUIDES Installation and Setup of Cisco ISE on a VMware Server This part of the guide describes the tasks for installing and setting up ISE software on a VMware server. Figure 3 shows the workflow tasks in this part of the guide. This workflow represents the tasks that must be completed for a successful Guest Services deployment using ISE. Part 1 – Installing and Configuring Cisco Identity Services Engine (ISE) and Wireless Controller (WLC) Install Cisco Identity Services Engine on VMWare Configure WLC Basics Deploy ISE OVA Setup Your Controller Run ISE Setup Create Your Wireless Network Install ISE Patch Connect WLC to Your Network Figure 3 Part 1 Flow – Install Cisco ISE on WMWare Cisco Systems © 2016 Page 13 SECURE ACCESS HOW-TO GUIDES Deploy ISE OVA as a Virtual Machine You can use OVA templates to install and deploy Cisco ISE software on a virtual machine. In the previous task Download Cisco ISE Software you downloaded the OVA template from Cisco.com. To deploy an ISE OVA in your ESX(i) environment: Step Step Step Step Step Step Step Step 1 2 3 4 5 6 7 8 Open VMware vSphere client. Log in to VMware host. Choose File > Deploy OVF Template from the VMware vSphere Client. Click Browse to select the OVA template and click Next. Confirm the details in the OVF Template Details page and click Next. Enter a name for the virtual machine in the Name and Location page to uniquely identify it and click Next. Choose a data store to host the OVA. Click the Thick Provision radio button on the Disk Format page, and click Next. o Cisco ISE supports both thick and thin provisioning. However, we recommend that you choose thick provisioning for better performance. If you choose thin provisioning, operations such as upgrade, backup and restore, and debug logging that require more disk space might be impacted during initial disk expansion. Note: If you are asked to select Lazy or Eager Zeroed, select Lazy. Step 9 Step 10 Step 11 Verify the information in the Ready to Complete page. Check the Power on after deployment check box. Click Finish. Run ISE Setup In this section, you set up your ISE Virtual Machine using the VSphere Console Common-line Interface (CLI). When the installation process finishes, the virtual machine reboots automatically. When the Virtual Machine reboots, you will see the system prompt. Step 1 At the system prompt, enter setup and press Enter. o Step 2 The Setup Wizard appears and guides you through the initial configuration. Use the information you gathered in the Pre-setup Checklist section of this document to answer the questions form the Setup Wizard. o This example shows a sample output of the setup command. localhost login: setup Press 'Ctrl-C' to abort setup Enter hostname[]: ise Enter IP address[]: 10.1.100.22 Enter IP default netmask[]: 255.255.255.0 Enter IP default gateway[]: 10.1.100.1 Enter default DNS domain[]: yourdomain.com Enter primary nameserver[]: 172.16.168.183 Add/Edit another nameserver? Y/N : n Enter primary NTP server[time.nist.gov]: Cisco Systems © 2016 Page 14 SECURE ACCESS HOW-TO GUIDES Add/Edit secondary NTP server? Y/N : n Enter system timezone[UTC] : Enter username[admin]: Enter password: Enter password again: Bringing up network interface... Pinging the gateway... Pinging the primary nameserver... Do not use 'Ctrl-C' from this point on... Appliance is configured o For more information and details about the installation, please reference the Cisco ISE 2.0 Administration Guide section, Installing Cisco ISE Software on a VMware System. Install the ISE Patch After you set up the ISE Virtual Machine is up and running, use these instructions to install the latest patch. Step Step Step Step 1 2 3 4 Login to the ISE Admin UI at (http://iseapaddress) Navigate to Administration > System > Maintenance > Patch Management > Install. Click Browse and choose the patch that you downloaded from Cisco.com. Click Install to install the patch. o After the patch is installed, Cisco ISE logs you out and you must wait for a few minutes before you can log in again. Note: When patch installation is in progress, Show Node Status is the only function that is accessible on the Patch Management page Step 5 Navigate to Administration > System > Maintenance > Patch Management to return to the Patch Installation page. For more information on ISE patches reference Cisco ISE 2.0 Administration Guide section on Installing a Software Patch Cisco Systems © 2016 Page 15 SECURE ACCESS HOW-TO GUIDES Configure WLC Basics There are multiple ways one can configure the Cisco Wireless LAN Controller. In this guide we are using the WLAN Express Setup. For more information on the WLAN Express setup and the WLC configuration, select one of the following links: • • WLAN Express Setup Video Cisco WLAN Release Notes The flow diagram shown in Figure 4 shows the process to use when Configuring WLC Basics. Part 1 – Installing and Configuring Cisco Identity Services Engine (ISE) and Wireless Controller (WLC) Install Cisco Identity Services Engine on VMWare Configure WLC Basics Deploy ISE OVA Setup Your Controller Run ISE Setup Create Your Wireless Network Install ISE Patch Connect WLC to Your Network Figure 4 Part 1 Flow - Configure WLC Basics Cisco Systems © 2016 Page 16 SECURE ACCESS HOW-TO GUIDES Connect to WLC Before connecting all the components to configure Cisco wireless Guest Services, first establish communication between your laptop (computer) and the WLC. After you establish the initial communication between your laptop and the WLC, you can complete the hardware setup and software installation procedures. Set Up Your Controller To connect to the WLC perform the following steps: Step 1 Connect your admin laptop to Port 2 on the WLC as shown in Figure 5. Figure 5 Connect Laptop to WLC o Step 2 The laptop should get an IP address from subnet 192.168.1.0/24. Open a web browser and enter 192.168.1.1 to access the WLC Setup Wizard. o The WLC Setup user interface displays as shown in Figure 6. Cisco Systems © 2016 Page 17 SECURE ACCESS HOW-TO GUIDES Figure 6 Set Up Your Controller Step 3 Enter the credentials used to manage the controller. Refer to the Pre-Setup Checklist you completed in the Planning section. Table 2 Setup Your Controller Fields Field Description System Name WLC System Name Pre-checklist item number - 1 Country Your current country location Date & Time Your current date and time Timezone Select Timezone from the drop-down menu NTP Server IP address for the NTP server Pre-checklist item number - 8 Management IP Address IP address for managing the wireless controller Pre-checklist item number - 2 Cisco Systems © 2016 Page 18 SECURE ACCESS HOW-TO GUIDES Field Description Subnet Mask Subnet Mask for the WLC Pre-checklist item number - 2 Default Gateway Default Gateway for the WLC Pre-checklist item number - 2 Management Network VLAN Management Network VLAN Pre-checklist item number - 11 Step 4 Click Next to continue. o Next, create Your Wireless Networks. Create Your Wireless Networks Step 5 Click the X to deselect the Employee Network. Note: Setting up a wireless dot1x network for employees (internal users) is not covered in this guide. Step 6 Click the checkmark next to Guest Network, as shown in Figure 7: Figure 7 Create Your Wireless Network Cisco Systems © 2016 Page 19 SECURE ACCESS HOW-TO GUIDES Table 3 Create your Wireless Networks Fields Field Description Network Name Wireless Network (SSID) for your Guests Prechecklist item number - 4 Security Select the security type ‘Web Consent’ from options listed in the drop-down menu. Note: WPA is not supported for ISE Guest. VLAN Select the VLAN ‘New VLAN’ from the options listed in the drop-down menu VLAN IP Address IP address for your guest network Prechecklist item number - 6 VLAN Subnet Mask IP address for VLAN Sub Mask Prechecklist item number - 6 VLAN Default Gateway IP address for default gateway Prechecklist item number - 6 VLAN ID (optional) ID for VLAN (optional, if using management network, this is not needed) Prechecklist item number - 5 DHCP Server Address IP address for your DHCP server Prechecklist item number - 3 Step 7 Step 8 Enter the information required from the Pre-setup Checklist. Click Next to continue. o A confirmation screen displays with a message asking if you want to apply the WLC confirmation changes and informs you that your system will reboot after you click OK. Connect WLC to Your Network To better explain the scenarios and configurations listed in this document, look at the sample topology in Figure 8 Cisco Systems © 2016 Page 20 SECURE ACCESS HOW-TO GUIDES Figure 8 Sample Topology The Cisco 3560G switch in the Figure 8 Sample Topology provides basic connectivity to all the components. Configure all the ports on the switch for access VLAN 100, except Port 10, which must be configured as a Trunk port. Refer to Appendix A – Switch Configuration for more details on switch configuration. Note: After the WLC reboots the management function is now live on VLAN 100 (example 10.1.100.42) and will no longer respond via the old IP address. Step 1 Step 2 Disconnect the admin laptop from Port 2 on the WLC and connect it instead to Port 1 on the switch. Connect Port 1 on the WLC to the Trunk Port 10 on the switch. Your Switch trunkport should contain the Management VLAN (100) and Guest VLAN (50) in order to manage the controller and to provide guest access o Step 3 You should be able to again access the WLC using the admin PC. (Example: https://10.1.100.42). Setup your network for your access point discovery of the controller. To set up your access point, configure your network to discover the wireless controller. For more information about setting up discovery options in your network, please refer to the Wireless Controller documentation: http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configurationguide/b_cg80/b_cg80_chapter_01100101.html#ID302 Step 4 After you have setup the necessary discover option in your network, connect your Access Point to Port 8 Note: At this point, you should be able to see your Guest Wireless Network (SSID) from any client (Pre-Setup Checklist #4). This is a basic splash page from the controller and its not yet integrated to use the ISE Guest (Web Auth) Portals. Cisco Systems © 2016 Page 21 SECURE ACCESS HOW-TO GUIDES Assisted WLC & ISE Configuration with Setup Wizard Now that you have completed the basic installation and setup of the WLC and ISE, you have two options on how to proceed with the rest of the configuration. The recommended path is to use the ISE 2.0 Wireless Guest Setup Wizard to automate this task. The wizard runs on OS X and Windows. It will ask you the information required to connect and configure your system for your required Guest Flow. You should have previously downloaded Wizard. If not, download it here Cisco ISE Download Software. By using the wizard, you bypass most of the guide as seen in Figure 9. Cisco Systems © 2016 Page 22 SECURE ACCESS HOW-TO GUIDES Part 2 – Configuring WLC and ISE for Guest Services Configure WLC for ISE Web Authentication Assisted WLC/ISE Configuration with ISE Express Wizard (Optional) Configure ISE for Guest Services Configure Minimum Settings for Self-Registration (Optional) Configure Required Settings for Sponsored Guest Flows (Optional) Configure Basic Portal Customization (Optional) Set Up a Well-known Certificate (Optional) Set Changes for Admin and Guest Accounts (Optional) What’s Next Figure 9 Part 2 Flow – Configure WLC & ISE for Guest Services Note: After you have run through the ISE Wireless Guest Setup Wizard, the sections of this guide, starting with Configuring the WLC for ISE Web Authentication and ending with Configure Basic Portal Customization (Optional) are for reference only. Please proceed to the section, Setting Up a Well-known Certificate (Optional). Step 1 If you’re interested in manual configuration, then please proceed to the section Configuring the WLC for ISE Web Authentication Cisco Systems © 2016 Page 23 SECURE ACCESS HOW-TO GUIDES In Figure 10, the wizard lists the basic requirements before starting. It has a Debug Window option in the bottom left if you need to provide logs to the developers. In the bottom right you will notice the build #. Figure 10 ISE Wireless Guest Setup Wizard Launch Step 2 Step 3 Click Start. In Figure 8, choose the Portal Type (Guest Flow) you would like to send your guests through. These flows were explained earlier on in the section Guest Access. You can also select if you would like to customize your portal. Check the box to enable portal customization (optional), and select the Guest Flow you would like to use. Skip to Step 5 if you don’t want to work with customization at this time. You can configure your portals later. See the section Configure Basic Portal Customization (Optional) for more information. Cisco Systems © 2016 Page 24 SECURE ACCESS HOW-TO GUIDES Figure 11 Select Portal Type Step 4 Upload your logo, banner and choose your color theme as seen in Figure 12 and click Next. Note: This customization will be made to any of portal in your flow (Guest or Sponsor). Cisco Systems © 2016 Page 25 SECURE ACCESS HOW-TO GUIDES Figure 12 Portal Customization Step 5 Fill in the information required to configure your wireless controller. You gathered this information during the Planning phase using the Pre-setup Checklist. When complete, click Next. Note: The Gateway IP address is the default gateway of your WLC management network Cisco Systems © 2016 Page 26 SECURE ACCESS HOW-TO GUIDES Figure 13 Configure your WLC Step 6 The wizard will now connect to your wireless controller to get a list of available WLANs. Choose the Guest network that you configured when running through WLAN Express and click Next. Figure 14 Select WLAN Step 7 In Figure 15, the wizard will ask you for the necessary information in order to configure your ISE. This information was gathered using the Pre-setup Checklist. After you have entered the necessary information, click Next. Guest Location/Time Zone - It’s critical that you enter the correct time zone of your guests. For more information, or to configure more locations after the wizard has completed, reference the section Configure Guest Locations and Time Zones Choose your Sponsor Source - There is also an option to choose what identity source to use for your Sponsors. Here we show the option to use groups from your Active Directory. You can also choose to create a local user on ISE. For more information about these options, or to add another sponsor once the wizard has completed setup, reference the section Working with Sponsor Accounts. Note: Here we are showing the Sponsored Guest Flow using Active Directory group, since that’s a superset (and the most detailed) of the options that you will see when going through the wizard. In the Hotspot flow, you will not see any of these options, and the self-registration flow will not have the option to configure the Sponsor User Source. Cisco Systems © 2016 Page 27 SECURE ACCESS HOW-TO GUIDES Figure 15 Configure your ISE Step 8 Depending on the option you chose in Step 7, you will either see a screen to configure a Sponsor Account or point to your Active Directory. Since the local account is a simple procedure, we won’t highlight that option. If you chose to use local accounts, then skip to Step 10. If you chose to go with the Active Directory option as shown in Figure 16, please enter the information listed below and then click Next. The information here is simple. Enter the following: • Join Point Name: a basic label for your domain connection built on ISE • Active Directory Domain: domain where your groups to use as sponsors reside • AD Username/Password Cisco Systems © 2016 Page 28 SECURE ACCESS HOW-TO GUIDES Figure 16 Active Directory Settings Step 9 The wizard connects to your domain, and pulls down all the groups in your Active Directory. You may choose one or more groups that can access Sponsor Guests Accounts. After you have selected your accounts, click Next. Cisco Systems © 2016 Page 29 SECURE ACCESS HOW-TO GUIDES Figure 17 Select Groups Step 10 This step configures an easy URL for the sponsor portal. There are some dependencies on DNS to use this feature. Even if you haven’t setup your DNS, you can still configure this option now and setup your DNS later. For more information please refer to the section, Setup ISE Sponsor Portal FQDN Based Access. Either enter your FQDN or choose the option to do this at a later time. Click Start Figure 18 Configure Sponsor Portal FQDN Support for Apple Devices requires a special configuration that requires a reboot. For more information on this option, see the section Captive Portal Bypass Configuration. Cisco Systems © 2016 Page 30 SECURE ACCESS HOW-TO GUIDES In Figure 19, click OK to continue. Figure 19 Captive Portal Bypass Config Reboot As shown in Figure 20, the system configures both the Wireless Controller and ISE, and shows active status of each component’s state. Figure 20 Configuring Cisco Systems © 2016 Page 31 SECURE ACCESS HOW-TO GUIDES After the wizard configures the WLC and ISE, you will see a final status screen as seen in Figure 21. This screen provides you with the following information: • SSID: Name that a client will connect to. • Link to your guest portal. You can use this to see what the portal looks like. It can also be used to test the portal completely, like a user would see from a real device. • For Sponsored flow, it provides a link to the Sponsor Portal and also the easy URL (FQDN), when configured. Figure 21 Configuration Completed Step 11 Click Close. Note: Now that your system configuration has been completed, this tool can no longer be used to connect to your WLC or ISE unless you were to reset the configuration on both and start new. If you need to change any of the configurations or learn about the system as a whole, you can read through the rest of the document. Now that you have completed setup using the wizard, note that the following sections, starting with Configuring the WLC for ISE Web Authentication and ending with Configure Basic Portal Customization (Optional), are for reference only. Please proceed to the section Setting Up a Well-known Certificate (Optional). Cisco Systems © 2016 Page 32 SECURE ACCESS HOW-TO GUIDES Configuring the WLC for ISE Web Authentication In this next section, you will configure the necessary security settings on the WLC to work with ISE. RADIUS NAC allows ISE to send a Change of Authorization (COA) request,which allows the user to authenticate and access the network. Essentially, it gives ISE the ability to change the state of a client on the fly without requiring a new session. For example, after being redirected to ISE for portal authentication, the client is authenticated and allowed access to the network. The flow diagram shown in Figure 22 shows the process to use when Configuring the WLC for ISE Web Authentication. Part 2 – Configuring WLC and ISE for Guest Services Configure WLC for ISE Web Authentication Configure Captive Portal Bypass Configure Required Settings for Sponsored Guest Flows (Optional) Configure Basic Portal Customization (Optional) Configure WLC for RADIUS Authentication Set Up a Well-known Certificate (Optional) Change WLAN to Use Web Authentication Configure ACLS for Guest Access Configure ISE for Guest Services Set Changes for Admin and Guest Accounts (Optional) What’s Next Configure Minimum Settings for Self-Registration (Optional) Figure 22 Part 2 Flow - Configuring WLC for ISE Web Authentication Cisco Systems © 2016 Page 33 SECURE ACCESS HOW-TO GUIDES Captive Portal Bypass Configuration The Cisco Identity Services Engine software’s Guest Access is supported for many different clients and web browsers. To use the controller with Cisco ISE Guest Access and Apple (iOS and OS X) clients, you must complete the captive portal bypass configuration process. o For more information about using the Captive Portal Bypass command, please refer to the Configuring Captive Bypassing section of the Cisco Wireless Controller Configuration Guide for your version of ISE. To configure captive portal bypass, perform the following steps. Step 1 Using a SSH client such as Putty, connect to your wireless controller’s IP address. Note: You can also connect via console or telnet. Step 2 Step 3 Login to the controller CLI. Enter the command the following command: config network web-auth captive-bypass enable o Step 4 The controller prompts you to reboot. Log back into the CLI and display the status using the following command: show network summary Step 5 Locate the following line located on the last page. Tip: Tapping the spacebar twice takes you to the last page. Web Auth Captive-Bypass Step 6 .................. Enable Close the SSH session to the controller. Configure the RADIUS Authentication Server on WLC To configure ISE as the RADIUS Authentication Server, perform the following steps: Step 1 Step 2 Log onto the Wireless LAN Controller (WLC) server’s GUI. Select Security > AAA > RADIUS > Authentication from the menu on the left side, as shown in Figure 23. Cisco Systems © 2016 Page 34 SECURE ACCESS HOW-TO GUIDES Figure 23 Radius Authentication Servers Step 3 Click New. o The RADIUS Authentication Server screen displays, as shown in Figure 24. Figure 24 Radius Authentication Servers > New Step Step Step Step 4 5 6 7 Enter the ISE IP address and the Shared Secret. Enable Support for RFC 3576. Change Server Timeout to 5 seconds Click Apply. Configure the RADIUS Accounting Server on WLC To configure the RADIUS Accounting Servers, perform the following steps: Step 1 Step 2 Log onto the Wireless LAN Controller (WLC) server GUI. Select Security > AAA > RADIUS > Accounting from the menu on the left side, as shown in Figure 25. Cisco Systems © 2016 Page 35 SECURE ACCESS HOW-TO GUIDES Figure 25 Radius Accounting Servers Step 3 Click New. o The RADIUS Accounting Server screen displays, as shown in Figure 26. Figure 26 Radius Accounting Servers > New Step Step Step Step 4 5 6 7 Enter the ISE IP address and the Shared Secret. Change Server Timeout to 5 seconds Uncheck Network User Click Apply. Change WLAN Configuration to use ISE Web Authentication To change the WLC configuration to use RADIUS NAC for ISE Web Authentication, perform the following steps: Step 1 Step 2 Select WLANs. Select Guest SSID. Cisco Systems © 2016 Page 36 SECURE ACCESS HOW-TO GUIDES Figure 27 WLANs Step 3 Step 4 Click the Security tab. Click the Layer 2 tab. o Layer 2 Security tab options display, as shown in Figure 28. Figure 28 Security > Layer 2 Step 5 Step 6 Step 7 For Layer 2 Security, select None. Enable MAC Filtering. Click the Layer 3 tab. o Layer 3 Security tab options display, as shown in Figure 29. Figure 29 Security > Layer 3 Step 8 Step 9 Select None. Select AAA Servers. o The AAA Servers options displays, as shown in Figure 30. Cisco Systems © 2016 Page 37 SECURE ACCESS HOW-TO GUIDES Figure 30 Security > AAA Servers Step 10 Select and enable your ISE server IP under Server 1 label for Authentication and Accounting, as shown in Figure 31. Figure 31 Security > AAA Servers Step 11 Step 12 Click the Advanced Tab. The Advanced Tab options display, as shown in Figure 32. Figure 32 Advanced Step Step Step Step Step 13 14 15 16 17 Enable Allow AAA Override. Select None for Override Interface ACL. Under NAC State select RADIUS NAC using the drop-down menu. Enable Client User Idle Timeout and set to 1800 secs Click Apply. Cisco Systems © 2016 Page 38 SECURE ACCESS HOW-TO GUIDES Cisco Systems © 2016 Page 39 SECURE ACCESS HOW-TO GUIDES Configure ACLs for Guest Redirection and Permit Access This section describes how to configure an ACL on the WLC. The objective is to configure an ACL that allows guest clients to access guest services. Configure an ACL to Redirect Guest Devices to ISE Guest Portal Step 1 Go to the WLC GUI and choose Security > Access Control Lists > Access Control Lists. o The Access Control Lists page appears, as shown in Figure 33. This page lists the ACLs that are configured on the WLC. It also enables you to edit or remove any of the ACLs. Figure 33 Security > Access Control Lists Step 2 Step 3 Step 4 Click the New to create a new ACL. Enter guest-redirect as the name, as shown in Figure 34. Click Edit in order to create rules for the ACL. Figure 34 Access Control Lists Step 5 Click Apply. o You will be brought to the main listing, click the new ACL and you will see the following shown in Figure 35. Figure 35 Access Control Lists > Edit Cisco Systems © 2016 Page 40 SECURE ACCESS HOW-TO GUIDES Step 6 Step 7 Step 8 Click Add New Rule. The Access Control Lists > Rules page appears. Configure the rules as shown in Figure 36. Note: 10.1.100.22 is the IP address of ISE (use your ISE IP address) Figure 36 ACL Entry for Guest Redirection Configure an ACL to Permit Guest Access to the Internet After Authenticated Step 1 Step 2 The WLC wizard created an ACL on setup called guest-acl. Click the guest-acl ACL. Add the following two new rules after Sequence 2. Note: IT IS VERY IMPORTANT THAT THESE STEPS ARE DONE IN ORDER. • • Permit any to access the source ISE IP Permit any to access destination ISE IP o o Figure 37 shows the two new rules added after Sequence 2. Note the ACL below is not the full ACL the WLAN Express created, just part of it to show where you need to inject the extra ACEs Figure 37 ACL Entry for Guest Permit Note: 10.1.100.22 is the IP address of the ISE server. Use your ISE IP address for the new rules. o This completes the first part of the Cisco Identity Services Engine with WLC for Guest Services process - Installing and configuring Cisco Wireless Controller (WLC). Cisco Systems © 2016 Page 41 SECURE ACCESS HOW-TO GUIDES Configure ISE for Guest Access Now that you have configured the Wireless Controller to work with ISE Web Authentication, you must complete the necessary steps on ISE. The flow diagram shown in Figure 38 shows the process for Configuring ISE for Guest Services. Part 2 – Configuring WLC and ISE for Guest Services Configure WLC for ISE Web Authentication Configure Required Settings for Sponsored Guest Flows (Optional) Configure ISE for Guest Services Configure Basic Portal Customization (Optional) Configure WLC as a Network Access Device Set Up a Well-known Certificate (Optional) Create an Authentication Policy Set Changes for Admin and Guest Accounts (Optional) Create an Authorization Profile Create an Authorization Policy What’s Next Configure Minimum Settings for Self-Registration (Optional) Figure 38 Part 2 Flow - Configure ISE for Guest Services Cisco Systems © 2016 Page 42 SECURE ACCESS HOW-TO GUIDES Configure the Wireless Controller (WLC) as a Network Access Device (NAD) Step 1 Step 2 Step 3 Login to ISE Admin UI. Navigate to Administration > Network Resources > Network Devices. Select Add, as shown in Figure 39. Figure 39 Add Network Device o The Network Devices edit page displays, as shown in Figure 40. Figure 40 New Network Device Addition Step Step Step Step Step 4 5 6 7 8 Enter a device name. Enter the device IP Address. Enable Authentication Settings. Enter the Shared Secret (Pre-checklist item number - 12). Click Submit. Cisco Systems © 2016 Page 43 SECURE ACCESS HOW-TO GUIDES Authentication Policy Setup An authentication policy allows you to statically define the allowed protocols and the identity source or identity source sequence that Cisco ISE will use for communication. Cisco ISE provides a preconfigured working authentication policy for guest access by default. Viewing Default Authentication Policy To view the preconfigured default authentication policy, perform the following steps: Step 1 Step 2 Login to ISE Admin UI. Navigate to Policy > Authentication. o The Default Authentication Policy page appears, as shown in Figure 41. Figure 41 Default Authentication Policy In the default authentication policy, MAB for unknown internal endpoints is set to Continue, which allows guest endpoints (which are unknown) to continue authentication and be authorized for redirection to the guest portal. Create an Authorization Profile to Redirect Guest Endpoints to ISE When endpoints first access the network, they are authenticated with MAB, and must be redirected to the guest portal for authorization. ISE 2.0 comes with a built-in profile called Cisco_WebAuth. You will modify this to work with your guest installation. Step Step Step Step 1 2 3 4 Navigate to Policy > Policy Elements > Results. Expand Authorization and click Authorization Profiles. Select Cisco_WebAuth Change the profile to work for your setup: o o Under Web Redirection choose the type of Redirection: Hotspot or Centralized Web Authentication (used for Self-Registration or Sponsored Guest Flows). ACL: The ACL is case-sensitive and must match the name configured in the WLC. Use guest-redirect as configured in the Configure ACLs for Guest redirection and Permit Access section. Note: The ACL is case-sensitive and must match the definition in WLC exactly. o Value: Choose the appropriate default portal (Hotspot, Self-Registration, or Sponsored). Cisco Systems © 2016 Page 44 SECURE ACCESS HOW-TO GUIDES Step 5 Click Save. Example of a Hotspot Profile for Redirection Figure 42 Authorization Profile for Hotspot Example of a Credentialed Redirection Figure 43 Authorization Profile for Credentialed Redirection Create an Authorization Profile to Permit Access In this section, you create a new authorization profile to permit network access after the user/device has authenticated. To create an authorization profile to permit access, perform the following steps: Step 1 Step 2 Step 3 Navigate to Policy > Policy Elements > Results. Expand Authorization and click Authorization Profiles. Click Add. o The New Authorization Profile screen appears. Cisco Systems © 2016 Page 45 SECURE ACCESS HOW-TO GUIDES Figure 44 Authorization Profile for Guest Permit Step 4 Enter the following information, as shown in Figure 44: o o o Name: Guest Permit Description: Internet Access for Guests Check Airespace ACL Name and enter: guest-acl Note: The ACL is case-sensitive and must match the definition in WLC exactly. This ACL was created previously in the Configure ACLs for Guest Redirection and Permit Access section. Step 5 Click Submit. Create Authorization Policies for Guest Access Create the necessary authorization rules to facilitate a redirection to the guest portal. Creating authorization rules also enables quick access, based off endpoint group, once the device or user authenticates. ISE 2.0 includes built-in rules which we will modify to work with the setup. Step Step Step Step Step Step Step 1 2 3 4 5 6 7 Navigate to Policy > Authorization. Click Edit on the Wi-Fi_Redirect_to_Guest_Login rule line. On the left side of the line click the Status pull down and change it to Enabled. Click Done. Click on the arrow next to Edit, on the Wi-Fi_Redirect_to_Guest_Login rule line. Insert New Rule Above. Add a new rule to match what you have setup, as shown in Figure 45. Figure 45 Authorization Policy Rules Step Step Step Step 8 9 10 11 Create the second rule as the permit rule. Name the rule: GuestPermit. Select If GuestEndpoint and Wireless_MAB. Choose your GuestPermit Authorization profile. Cisco Systems © 2016 Page 46 SECURE ACCESS HOW-TO GUIDES Step 12 Step 13 Click Done. Click Save. The configuration flow for any portal type is to present a page where the user accepts an AUP (hotspot) or logs in to a Credential Portal. Key Point! The configuration shown above is a simple authorization, which is based off the Endpoint Group. A user/device comes into the network. They accept an AUP (Hotspot) or enter some credentials (Credentialed Flow) where the device is registered into GuestEndpoints. Then they are given access based off that Endpoint Group. The user/device will not be redirected to accept the AUP or login to the portal again until the device is manually purged or passes the 30 day mark (default setting). If you would like to change the purge date, configure the setting Purge endpoints in this identity group when they reach __ days old • Hotspot flow, this is configured under the Portal Settings for Hotspot Guest Portals. • Credentialed flow, this is done using the Guest Type, referenced under Create or Edit Guest Types. Another option of granting access to the network for the Credentialed Guest Flow is to base your Authorization Rules off the Guest Flow or the Guest Type accessing the network. This configuration allows you to restrict users by the settings of the Guest Type. For example: Maximum account duration, Allow access only on these days and times, Maximum simultaneous logins and more, as described in Create or Edit Guest Types. This requires the user to login to the portal every time they have a new network session. For example, a user would put their device to sleep, resume, and get a new wireless session ID, as configured in the WLC User Idle Timeout value (default of 180 seconds). This configuration is only for Credentialed flows: The first example, seen in Figure 46 is a simple method of allowing any type of Guest to be permitted to the network through the Guest Flow. This flow comes built-in but you will to change the permissions for the WiFi_Guest_access to use your Authorization Profile for Guest Permit. The second example, seen in Figure 47 allows you to grant access depending on the Guest Type. A contractor could have special access when compared to a regular Guest Figure 46 Authorization Rules for Basic Guest Flow Cisco Systems © 2016 Page 47 SECURE ACCESS HOW-TO GUIDES Figure 47 Authorization Rules depending on Guest Type You just completed the required steps to get a portal up and running. If you are using a Hotspot portal for Guest Access, you can skip to the section Configure Basic Portal Customization (Optional). If you are using the self-registration or sponsored flows (Credentialed Guest Access), then additional configuration is required. Please continue with the next section, Configure Minimum settings needed for Self-Registration and Sponsored Guest Flows. Figure 48 shows the process you will use to configure Credentialed Guest Flows. Part 2 – Configuring WLC and ISE for Guest Services Configure WLC for ISE Web Authentication Configure Basic Portal Customization (Optional) Configure ISE for Guest Services Set Up a Well-known Certificate (Optional) Configure Minimum Settings for Self-Registration (Optional) Set Changes for Admin and Guest Accounts (Optional) Configure Required Settings for Sponsored Guest Flows (Optional) What’s Next Figure 48 Configuring ISE for Credentialed Access Cisco Systems © 2016 Page 48 SECURE ACCESS HOW-TO GUIDES Cisco Systems © 2016 Page 49 SECURE ACCESS HOW-TO GUIDES Configure Minimum Settings for Self-Registration and Sponsored Guest Flows Configure Guest Locations and Time Zones These settings are required to support self-registered and the sponsored guest flows. You only need to setup the location(s) your guest will be accessing the network from, so that your guest or sponsor can easily choose the time zone when the account will be activated. Note: This is very important. If you don’t configure a location, then the account will not activate at the correct time. The user will not be able to login. You will also need to make sure that the time on your ISE server is correct. If its only a few minutes faster than your browser, then you may notice it takes a few minutes for the accounts created using self-registration, or for sponsored flows to start working. The message shown to the end user using the guest portal is Authentication failed. On ISE under Operations > Authentications , you will see entry details stating that the Account is not yet active. For ease of use, if only one location is configured in your portal and sponsor group, then guests and sponsors will not be presented the option to select location. Deployments in the PST time zone can use the San Jose location that is built into ISE. If that time zone is acceptable, then skip to the section Configure Required Settings for Sponsored Guest Flow. You will not be able to change the name of the default San Jose location. You do not need to remove it because it is not displayed if you do not choose to use it. For more information on location and SSIDs, see Assign Guest Locations and SSIDs in the Administrators guide. To configure guest locations and time zones, perform the following steps. Step 1 Step 2 Navigate to Guest Access > Settings > Guest Locations and SSIDs. The Guest Locations and SSIDs page displays, as shown in Figure 49. Figure 49 Configure Guest Location Step 3 Enter a Location Name and Time zone. Example: Boston (EST) using EST5EDT or America/New York. Cisco Systems © 2016 Page 50 SECURE ACCESS HOW-TO GUIDES Note: Do not delete the San Jose Location. Step 4 Step 5 Click Add. Click Save. Configure the Portal to Use the Location (Self-Registration) You must configure the self-registration portal to use this newly added location. If you are not using Self-Registration, then please skip to the section below, Configure Required Settings for Sponsored Guest Flow. Otherwise, continue to the section, Setting Up a Well-known Certificate (Optional). Note: If San Jose (PST time) as a default is acceptable, then you may skip this section. Step Step Step Step Step Step 1 2 3 4 5 6 Navigate to Guest Access > Configure > Guest Portals. Choose the Self-registered Guest portal. Collapse Portal Settings and Login page settings. Under Self-Registration Page Settings, Location: Add in the location you created, as shown in Figure 50. Click Add. Click Submit. Figure 50 Guest Portal Choose Location Cisco Systems © 2016 Page 51 SECURE ACCESS HOW-TO GUIDES Configure Required Settings for Sponsored Guest Flow The following steps are required to support Sponsored Guests. If you are only using Self-Registration, then setup is complete, and you can skip this process and move to the section Setting Up a Well-known Certificate (Optional). Working with Sponsor Accounts Setup your sponsors by either creating an internal account or configuring ISE to integrate with Active Directory. If you are integrating with Active Directory, skip to the section Using Sponsor Accounts from Active Directory. To create an internal account, perform the following steps. Step Step Step Step Step Step 1 2 3 4 5 6 Navigate to Administration > Identity Management > Identities > Users. Click Add. Fill in the information for the Sponsor. Select ALL_ACCOUNTS (default), under User Groups. Click Submit. Skip to the section Configure Locations For Your Sponsor Group. Using Sponsor Accounts from Active Directory The following two sections are only needed if you are integrating your Guest Access system with an Active Directory server that contains your sponsor groups. If you are planning to use Sponsor accounts created on ISE (completed in the previous section), and do not wish to combine them with AD, then you can skip below to Configure Locations For Your Sponsor Group. For more information, refer to Active Directory as an External Identity Source in the ISE Configuration Guide. To create sponsor accounts from Active Directory, perform the following steps. Step 1 Step 2 Step 3 Navigate to Administration > Identity Management > External Identity Sources. Select Active Directory. Click Add, as shown in Figure 51. Figure 51 Add Active Directory Join Point Step 4 As shown in Figure 52, enter the Join Point Name and Active Directory Domain. Cisco Systems © 2016 Page 52 SECURE ACCESS HOW-TO GUIDES Step 5 Click Submit. Figure 52 Configure Join Point Connection Step 6 Step 7 You are prompted with: “Would you like to Join all ISE Nodes to the Active Directory Domain”, click Yes. You are asked to enter your credentials for joining the domain. This includes specifying the Organizational Unit (optional). See the info buttons for more details on what is required. Note: The domain credentials are not saved by ISE. This is a one time use to setup the initial connection for the machine account. Figure 53 Join AD Domain Step 8 You will see a Successful message as shown in Figure 54. Click Close. Cisco Systems © 2016 Page 53 SECURE ACCESS HOW-TO GUIDES Figure 54 Join Operation Status Step 9 Step 10 Click the Groups tab. Click Add, select Groups from Directory as seen in Figure 55. Figure 55 Select Groups from AD Step 11 Step 12 Click Retrieve Groups, as shown in Figure 56. After you choose the groups that contain the users who will be sponsoring guests, click OK at the bottom of the page. Figure 56 Select Directory Groups Step 13 After you choose your groups your screen will look like Figure 57 . Click Save at the bottom of this Groups page. Figure 57 Groups Cisco Systems © 2016 Page 54 SECURE ACCESS HOW-TO GUIDES You have now completed setup of Active Directory Groups that can be used to assign to your sponsor groups. Set up the Active Directory Sponsor Group in All_Accounts The following steps show how to associate the group containing your sponsors or employees to the sponsor group. In this example, we use Domain Users. Step 1 Navigate to Guest Access > Configure > Sponsor Groups > ALL_ACCOUNTS. o The Sponsor Group page displays, as shown in Figure 58. Figure 58 Select Sponsor Group Members Step 2 Click the Member and move Domain Users over to the Selected User Groups area, as shown in Figure 36. Figure 59 Select Sponsor Group Members Step 3 Click OK. Configure Locations for Your Sponsor Group It is important to configure the correct locations to use when sponsors create your guest accounts. If you’re ok using the San Jose location, you may skip over this section. Otherwise add your new location. Step 1 Step 2 Select the locations you want your sponsors to use from the Select the locations that guests will be visiting section, as shown in Figure 60. Remove the locations you do not need. Cisco Systems © 2016 Page 55 SECURE ACCESS HOW-TO GUIDES Figure 60 Select Locations for Guest Type Step 3 Step 4 Scroll to the top of the page and click Save. Click Close. Setup ISE Sponsor Portal FQDN Based Access A sponsor portal allows a sponsor to create temporary accounts for guests, visitors, contractors, consultants, or customers to perform HTTP or HTTPS login to gain access to the network. The network could be a corporate network or access could provide access to the Internet. There are two ways to access the Sponsor Portal via the ISE admin UI without any special configuration. • • Manage Accounts Button - This is reserved for Administrators Portal Test URL - This URL can be sent to your sponsors so they can easily bookmark the site – This is the default The recommendation is to provide your sponsors with an easy Sponsor Portal URL. Here is an example: http://sponsorportal.yourcompany.com Follow the steps below to see how to provide access to a complex URL or an easy one. Step 1 Step 2 Navigate to Guest Access > Configure > Sponsor Portals. Click on Sponsor portal (default), the Portal Settings pane appears as shown in Figure 61. Figure 61 Sponsor Settings Step 3 Click on the Portal test URL and a new browser window will open. Note: This is an example URL you would need to send to your sponsors if you don’t proceed with the steps below for FQDN portal name. “https://ise.securitydemo.net:8443/sponsorportal/PortalSetup.action?portal=28981f50-e96e-11e4-a30a005056bf01c9” Cisco Systems © 2016 Page 56 SECURE ACCESS HOW-TO GUIDES Step 4 Step 5 Close the Portal Test URL window. Under Portal Settings locate the Fully Qualified Domain Name (FQDN) section as shown in Figure 62, then enter “sponsorportal.yourcompany.com” Figure 62 Portal Settings > FQDN Step 6 Scroll to the top and click Save. You now need to update your DNS to ensure this FQDN resolves to your ISE IP address. This may be accomplished by using a CNAME Alias pointing sponsorportal.yourcompany.com to yourise. Cisco Systems © 2016 Page 57 SECURE ACCESS HOW-TO GUIDES Configure Basic Portal Customization (Optional) The following section is not required to get your system up and running for Guest access. It is an optional step to help familiarize basic customization options for your new Guest portal. If you’re not interested in customizing your portal please continue to the section Setting Up a Well-known Certificate (Optional). For more information on Guest Customization please reference the Customize End-User Web Portals section of the Administrator’s guide and the HowTo: ISE Web Portal Customization Options at our Design guide site To customize a guest portal, perform the following steps. Step 1 Step 2 Click Guest Access > Configure > Guest Portals. Click on the portal you are using (Hotspot, Self-Registered or Sponsored) to edit that portal. o The portal that is active is shown with a Green encircled check, as shown in Figure 63. Figure 63 Active Hotspot Portal Step 3 Click on the Page Customization section at the top of the page, as shown Figure 64. Figure 64 Portal Page Customization o Step 4 ISE gives you basic customization built right into the product. It also makes it easier to see what changes you are making in real-time. We won’t go into detail of all of these, but notice at the top of the page you can change things like the logos, banner and main text elements. You can also choose from some built in color themes. To change the theme colors of your portal, use a built-in Portal theme or use the Tweaks to modify your colors, as shown in Figure 65. Cisco Systems © 2016 Page 58 SECURE ACCESS HOW-TO GUIDES Figure 65 Page Customization Options Step 5 You can upload a logo and a banner to use with your portal. Below this main section in the UI is where you can tweak the overall look and feel. You can also go into each of the pages. Depending on your portal settings and portal type, you see different options on the left hand side of the page. You can tweak the text in the different areas on the page. There is also a mini-preview that shows your changes to the portal. Figure 66 Portal Customization Mini Editor and preview Step 6 After doing some basic customization, check out the desktop preview (same as the portal test URL at the top of the page) by clicking on the option in the bottom right of the mini preview. Note: You can also test the full flow a user would go through without using a real client by using the Portal test URL at the top of the page. Step 7 Step 8 Close the desktop preview browser window. Click Save at the top of the page. As shown in Figure 67. Figure 67 Save customization Cisco Systems © 2016 Page 59 SECURE ACCESS HOW-TO GUIDES You have now completed basic customization of your guest portal. You can also do the same with your Sponsor Portal, if you’re using Sponsored Guest Access. To do this, navigate to Guest Access > Configure > Sponsor Portals > Select the default portal, and follow the same steps you used to customize your Guest Portal. You can continue with the next section Setting Up a Well-known Certificate (Optional) or Skip to What’s Next. Cisco Systems © 2016 Page 60 SECURE ACCESS HOW-TO GUIDES Setting up a Well-known Certificate (Optional) The following section is not required to get your system up and running for guest access, but it is highly recommended. To ensure that your users will not have to accept an invalid certificate when connecting to the Guest, Sponsor or Administrator Portal(s) via their web browser, use a certificate that has been signed by a well-known Certificate Authority for your ISE server. If you would like to skip this section for now, you may continue to the section, What’s Next. You are done with the minimum setup. SSL.com is one known vendor that has full support for the certificate type being recommended in this guide, but there are other providers that will work. Note: Each certificate provider may refer to the certificate type with a different name. It often helps to call the company or use their online web-chat to explain what is needed w/ the SAN field(s). Tell them you are looking for a certificate that contains a wildcard and FQDN both in the SAN field, with an FQDN in the CN= field. For more information on wildcard certificates and certificate in general please reference the following documents: • ISE Administrator Guide - Wildcard Certificate Support in Cisco ISE • Moving Packets Article - When SSL Certificates Go Wild • Aaron Woland Network World Blog - Wildcard certificates and how to use with ISE • Aaron Woland How To Guide - HowTo: Implement Cisco ISE and Server Side Certificates The steps listed in the next process show an example of setting up a Unified Communications Certificate (UCC) with wildcard in the SAN from SSL.com, which is a subordinate of Comodo. Create a Certificate Signing Request and Submit the CSR to a Certificate Authority Step 1 Step 2 Step 3 Navigate to Administration > System > Certificates > Certificate Signing Requests. Click Generate Certificate Signing Requests (CSR). Enter the values for generating a CSR, as shown in Figure 68. Cisco Systems © 2016 Page 61 SECURE ACCESS HOW-TO GUIDES Figure 68 Enter info for generating a CSR Usage Certificate(s) will be used for: Multi-Use Allow Wildcard Certificates: Checked Subject Common name: yourdomain.com. Replace the other sections of the subject with the information according to your organization. Subject Alternative Name (SAN)= SAN DNS Name 1 = yourise.yourcompany.com SAN DNS Name 2 = *.yourcompany.com Leave the last two fields at the defaults Step 4 Click Generate to generate the CSR. The CSR is generated, as shown in Figure 69. Figure 69 Successfully generated CSR Step 5 Step 6 Step 7 Step 8 Click Export to save the file Open the file in a text editor. Copy all the text from “---- BEGIN CERTIFICATE REQUEST-----“ through “-----END CERTIFICATE REQUEST----.” Paste the contents of the CSR in to the certificate request of a chosen CA. Cisco Systems © 2016 Page 62 SECURE ACCESS HOW-TO GUIDES Figure 70shows the SSL.com portal. Figure 70 SSL.com Portal Step 9 Download the signed certificate. Note: Some CAs might email the signed certificate to you. The resulting download or email attachment is often in the form of a zip file that contains the newly signed certificate and the public signing certificates of the CA. Save the digitallysigned certificate, root CA certificate, and other intermediate CA certificates (if applicable) to the local system running your client browser to be imported in the next sections. Import Certificates to the Trusted Certificate Store In this section you will import the necessary certificates to allow the client and server communication to be trusted. Along with the server certificate, ISE also presents the root and intermediate (if required) certificates to the client when communicating. Note: Not all providers have intermediate certificates that are required to be installed. Intermediate certificates come from the subordinate CA(s). This example is using SSL.com, which is a subordinate of Comodo. Comodo is a subordinate to the AddTrust root CA. Therefore, this example is importing a Root Certificate as well as the certificates for the two subordinates. To import all three certificates, perform the following steps. Step 1 Step 2 Navigate to Administration > System > Certificates > Trusted Certificates. Click Import. • • • Step 3 Root CA: AddTrustExternalCARoot.crt Subordinate CA: SSLcomDVCA_2.crt Subordinate CA: USERTrustRSAAddTrustCA.crt The Import a new Certificate into the Certificate Store pane displays as shown in Figure 71. Cisco Systems © 2016 Page 63 SECURE ACCESS HOW-TO GUIDES Figure 71 Import a new Certificate into the store Step 4 Use these steps to import the following certificates: • • • Step Step Step Step 5 6 7 8 Step 9 Step 10 Step 11 Root CA: AddTrustExternalCARoot.crt Subordinate CA: SSLcomDVCA_2.crt Subordinate CA: USERTrustRSAAddTrustCA.crt Click Browse to select the root CA certificate. Enter a Friendly Name. Choose the root certificate returned by your CA. Under Trusted For: Check the boxes for Trust for Authentication within ISE and Trust for client authentication and Syslog. It is also recommended that you select Validate Certificate Extensions Enter a description. Click Submit. Bind the CA-Signed Certificate to the Signing Request Now that you have received the digitally signed certificate returned by your CA, and imported the CA certificates, the next step is to bind the certificate signed by the CA to the CSR from ISE. This pairs the certificate and private key that was used to generate the CSR. Step 1 Step 2 Step 3 Navigate to Administration > System > Certificates > Certificate Signing Requests. Select the entry for your signing request. Click Bind Certificate, as shown in Figure 72. Figure 72 Select Certificate to Bind Step Step Step Step 4 5 6 7 Click Browse to choose the CA-signed certificate. Specify a Friendly Name for the certificate. Under Usage check the following options: Admin, EAP Authentication, Portal For Portal Group Tag select Default Portal Certificate Group Cisco Systems © 2016 Page 64 SECURE ACCESS HOW-TO GUIDES Step 8 Click Submit to bind the CA-signed certificate, as shown in Figure 73. After you click submit the system restart and will be inaccessible for ~5 min Figure 73 Bind Signed Certificate You are done setting up ISE with a well-known certificate for ISE 2.0 For more information on working with certificates, please reference the Managing Certificates section of the Cisco ISE 2.0 Administration Guide. Cisco Systems © 2016 Page 65 SECURE ACCESS HOW-TO GUIDES Setting Changes for Admin & Guest Accounts (Optional) After your system is up and running, we recommended that you change the default settings for the following accounts: o Familiarize yourself with the Administrator account password policy to prevent lockouts. o Set the Guest default username and password requirements to make it easier for your users to manage and login. Get Acquainted with the Administrator Password Policy A common issue seen when setting up ISE is that people forget to change their administrator account settings and they end up being locked out of the system if they haven’t used it for a while. It’s best to familiarize yourself with the requirements so that you understand them, and don’t get locked out if you don’t access the system for a while. Navigate to Administration > System > Admin Access > Password Policy Change the settings as necessary. For example, Password Lifetime uncheck or extend the line for expiration. Change Guest Account Requirements Out of the box, the ISE Guest solution has some fairly difficult password settings. These passwords are long and complex making them difficult to remember or even write down. For a better user experience you can change these settings. Also some devices make it difficult to tell them difference between the letter ‘O, l’ and the number ‘0, 1’, which leads to users having failed authentications. You could also reduce the number of characters to make it easier but mix it up a little to keep it a little complex. Step 1 Step 2 Step 3 Navigate to Guest Access > Settings > Guest Username Policy and update per policy as seen in Figure 74. Change the Minimum username length to 4. Under Characters Allowed in Randomly Generated Usernames, change the following: • • Alphabetic Remove ‘l’ and ‘O’ Change Minimum to 3 Numeric Remove ‘1’ and ‘0’ Change Minimum to 3 Cisco Systems © 2016 Page 66 SECURE ACCESS HOW-TO GUIDES Figure 74 Username Policy Step 4 Step 5 Click Save Navigate to Guest Password Policy and change the following as seen in Figure 75: • Password length: set to 4 • Minimum lowercase and uppercase: set to 0 • Minimum number: set to 4 • Minimum special: set to 0 Figure 75 Password Policy Step 6 Click Save Cisco Systems © 2016 Page 67 SECURE ACCESS HOW-TO GUIDES What’s Next After configuring your ISE server, you should do the following to validate that it’s working: For the Hot Spot Guest Flow Step 1 Step 2 Connect to the Guest SSID. Login to the Hotspot Portal. For the Self-Registered Guest Flow Step 1 Step 2 Step 3 Connect to the Guest SSID. Click on Don’t have an Account and create a guest account. Login to the Self-Registered Portal For the Sponsored Guest Flow Step 1 Step Step Step Step 2 3 4 5 Using a machine on the internal network, connect to the Sponsor Portal http://sponsorportal.yourdomain.com or use the Portal Test URL for Sponsor Portal Access. This is explained under the section, Setup ISE Sponsor Portal FQDN Based Access Login with a sponsor account. Create a guest account. Using another client, connect to the Guest SSID Login with the newly created guest account. For additional configuration options, please see Cisco ISE documentation at http://www.cisco.com/go/ise For general recommended configuration of wireless controller, please reference: How-to:Universal WLC Config Cisco Systems © 2016 Page 68 SECURE ACCESS HOW-TO GUIDES Appendix A – Wireless Configuration Here are the commands that the ISE Wireless Guest Setup Wizard adds to the wireless system after it goes through the WLAN Express setup: 'config network web-auth captive-bypass enable' 'reset system' —REBOOT— 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config 'config radius auth add 1 {ISE IP} 1812 ascii {RADIUS SECRET}', radius auth disable 1', radius auth retransmit-timeout 1 5', radius auth rfc3576 enable 1', radius auth network 1 enable', radius auth management 1 disable', radius auth enable 1', radius acct add 1 {ISE IP} 1813 ascii {RADIUS SECRET}', radius acct disable 1', radius acct retransmit-timeout 1 5', radius acct network 1 enable', radius acct enable 1', acl create guest-redirect', acl rule add guest-redirect 1', acl rule destination port range guest-redirect 1 0 65535', acl rule action guest-redirect 1 permit', acl rule source port range guest-redirect 1 53 53', acl rule direction guest-redirect 1 out', acl rule protocol guest-redirect 1 17', acl rule add guest-redirect 2', acl rule destination port range guest-redirect 2 53 53', acl rule action guest-redirect 2 permit', acl rule source port range guest-redirect 2 0 65535', acl rule direction guest-redirect 2 in', acl rule protocol guest-redirect 2 17', acl rule add guest-redirect 3', acl rule destination port range guest-redirect 3 0 65535', acl rule destination address guest-redirect 3 {ISE IP} 255.255.255.255', acl rule action guest-redirect 3 permit', acl rule source port range guest-redirect 3 0 65535', acl rule add guest-redirect 4', acl rule destination port range guest-redirect 4 0 65535', acl rule action guest-redirect 4 permit', acl rule source port range guest-redirect 4 0 65535', acl rule source address guest-redirect 4 {ISE IP} 255.255.255.255', acl rule add guest-redirect 65', acl rule destination port range guest-redirect 65 0 65535', acl rule source port range guest-redirect 65 0 65535', acl apply guest-redirect', acl create guest-acl', acl rule add guest-acl 1', acl rule destination port range guest-acl 1 53 53', acl rule action guest-acl 1 permit', acl rule source port range guest-acl 1 0 65535', acl rule protocol guest-acl 1 17', Cisco Systems © 2016 Page 69 SECURE ACCESS HOW-TO GUIDES 'config acl rule add guest-acl 2', 'config acl rule destination port range guest-acl 2 0 65535', 'config acl rule action guest-acl 2 permit', 'config acl rule source port range guest-acl 2 53 53', 'config acl rule protocol guest-acl 2 17', 'config acl rule add guest-acl 3', 'config acl rule destination port range guest-acl 3 0 65535', 'config acl rule destination address guest-acl 3 {ISE IP} 255.255.255.255', 'config acl rule action guest-acl 3 permit', 'config acl rule source port range guest-acl 3 0 65535', 'config acl rule add guest-acl 4', 'config acl rule destination port range guest-acl 4 0 65535', 'config acl rule action guest-acl 4 permit', 'config acl rule source port range guest-acl 4 0 65535', 'config acl rule source address guest-acl 4 {ISE IP} 255.255.255.255', 'config acl rule add guest-acl 5', 'config acl rule destination port range guest-acl 5 0 65535', 'config acl rule destination address guest-acl 5 {GATEWAY IP} 255.255.255.255', 'config acl rule action guest-acl 5 permit', 'config acl rule source port range guest-acl 5 0 65535', 'config acl rule add guest-acl 65', 'config acl rule destination port range guest-acl 65 0 65535', 'config acl rule source port range guest-acl 65 0 65535', 'config acl apply guest-acl', 'config wlan disable {WLAN ID}', 'config wlan exclusionlist {WLAN ID} 60', 'config wlan flexconnect local-switching {WLAN ID} disable', 'config wlan security wpa akm 802.1x disable {WLAN ID}', 'config wlan security wpa wpa2 ciphers aes disable {WLAN ID}', 'config wlan security wpa wpa2 disable {WLAN ID}', 'config wlan security wpa disable {WLAN ID}', 'config wlan security web-auth server-precedence {WLAN ID} local radius ldap', 'config wlan security web-auth disable {WLAN ID}', 'config wlan security web-passthrough disable {WLAN ID}', 'config wlan aaa-override enable {WLAN ID}', 'config wlan mac-filtering enable {WLAN ID}', 'config wlan broadcast-ssid enable {WLAN ID}', 'config wlan session-timeout {WLAN ID} 1800', 'config wlan mfp client enable {WLAN ID}', 'config wlan radius_server auth add {WLAN ID} 1', 'config wlan radius_server acct add {WLAN ID} 1', 'config wlan wmm allow {WLAN ID}', 'config wlan nac radius enable {WLAN ID}', 'config wlan acl {WLAN ID} none', 'config wlan ipv6 acl {WLAN ID} none', 'config wlan radius_server acct interim-update 0 {WLAN ID}', 'config wlan radius_server acct interim-update enable {WLAN ID}', 'config wlan ccx AironetIeSupport disable {WLAN ID}', 'config wlan profiling radius all enable {WLAN ID}', 'config wlan enable {WLAN ID}', 'save config' Guest-acl screenshot example: Cisco Systems © 2016 Page 70 SECURE ACCESS HOW-TO GUIDES Cisco Systems © 2016 Page 71 SECURE ACCESS HOW-TO GUIDES Appendix B – Switch Configuration Below is an example of a Switch Configuration file. hostname 3560CG ! vlan 50 name GUEST ! vlan 100 name Mgmt ! vlan 90 name access-points ! interface GigabitEthernet0/1 switchport access vlan 100 switchport mode access ! interface GigabitEthernet0/2 switchport access vlan 100 switchport mode access ! interface GigabitEthernet0/3 switchport access vlan 50 switchport mode access ! interface GigabitEthernet0/4 switchport access vlan 100 switchport mode access ! interface GigabitEthernet0/5 switchport access vlan 100 switchport mode access ! interface GigabitEthernet0/6 switchport access vlan 100 switchport mode access ! interface GigabitEthernet0/7 switchport access vlan 90 switchport mode access ! interface GigabitEthernet0/8 switchport access vlan 90 switchport mode access ! interface GigabitEthernet0/9 switchport access vlan 100 switchport mode access ! interface GigabitEthernet0/10 switchport trunk encapsulation dot1q switchport mode trunk ! interface Vlan50 Cisco Systems © 2016 Page 72 SECURE ACCESS HOW-TO GUIDES ip address 10.1.50.1 255.255.255.0 ip helper-address 10.1.100.10 ! interface Vlan90 ip address 10.1.90.1 255.255.255.0 ip helper-address 10.1.100.10 ! interface Vlan100 ip address 10.1.100.1 255.255.255.0 Cisco Systems © 2016 Page 73